https://community.splunk.com/t5/Splunk-Search/How-to-edit-our-props-conf-and-transforms-conf-to-parse-a-CSV/m-p/268696#M80813 <P>Based on this link:<BR /> <A href="http://docs.splunk.com/Documentation/Hunk/6.4.1/HunkReleaseNotes/Releasenotes">http://docs.splunk.com/Documentation/Hunk/6.4.1/HunkReleaseNotes/Releasenotes</A> -- See ERP-1901 - there was an issue with CSV extraction but it was fixed in 6.4.1.<BR /><BR /> I am checking to see if that same fixed is also in 6.4.2</P> Thu, 28 Jul 2016 15:15:37 GMT rdagan_splunk 2016-07-28T15:15:37Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-our-props-conf-and-transforms-conf-to-parse-a-CSV/m-p/268689#M80806 <P>I am trying to configure the props and transforms conf files for logs that's in .csv format that we're querying via a virtual index in Hunk.</P> <P>My props.conf file is configured as follows:</P> <PRE><CODE>[source::/LogCentral/Applications/Shibboleth_PRD/*] sourcetype = shibboleth [shibboleth] REPORT-manual-shib = manual-shib </CODE></PRE> <P>My transforms.conf file is configured as follows:</P> <PRE><CODE>[manual-shib] DELIMS = "," FIELDS = username,mfa_service_code,date_requested,mfa_ip_address,mfa_value_returned,mfa_required,zip,latitude,longitude,timezone,country_code,country,city,isp,organization_name,as_name,region,region_name,audit_date_created,audit_created_by,audit_date_modified,audit_modified_by </CODE></PRE> <P>I restart Hunk/Splunk service and when I run a search (index=shibboleth), the fields aren't being extracted.</P> <P>Any help on what I'm missing or fat-fingered in my configs would be greatly appreciated.</P> <P>Thx</P> Thu, 21 Jul 2016 20:43:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-our-props-conf-and-transforms-conf-to-parse-a-CSV/m-p/268689#M80806 jwalzerpitt 2016-07-21T20:43:54Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-our-props-conf-and-transforms-conf-to-parse-a-CSV/m-p/268690#M80807 <P>I even modified my props.con file as follows and still no automated field extraction:</P> <PRE><CODE>[source::/LogCentral/Applications/Shibboleth_PRD/*] sourcetype = shibboleth REPORT-manual-shib = manual-shib KV_MODE = none NO_BINARY_CHECK = true SHOULD_LINEMERGE = false category = Custom description = Comma-separated value format. Set header and other settings in "Delimited Settings" pulldown_type = true </CODE></PRE> Thu, 21 Jul 2016 21:00:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-our-props-conf-and-transforms-conf-to-parse-a-CSV/m-p/268690#M80807 jwalzerpitt 2016-07-21T21:00:10Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-our-props-conf-and-transforms-conf-to-parse-a-CSV/m-p/268691#M80808 <P>The following speaks about it <A href="https://answers.splunk.com/answers/123029/hunk-conditional-record-format.html">Hunk - Conditional Record Format</A></P> <P>What is the path for your configurations? </P> Thu, 21 Jul 2016 21:01:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-our-props-conf-and-transforms-conf-to-parse-a-CSV/m-p/268691#M80808 ddrillic 2016-07-21T21:01:08Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-our-props-conf-and-transforms-conf-to-parse-a-CSV/m-p/268692#M80809 <P>What configurations? props and transforms?</P> <P>Thx</P> Thu, 21 Jul 2016 23:22:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-our-props-conf-and-transforms-conf-to-parse-a-CSV/m-p/268692#M80809 jwalzerpitt 2016-07-21T23:22:30Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-our-props-conf-and-transforms-conf-to-parse-a-CSV/m-p/268693#M80810 <P>Right ; - )</P> Fri, 22 Jul 2016 02:27:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-our-props-conf-and-transforms-conf-to-parse-a-CSV/m-p/268693#M80810 ddrillic 2016-07-22T02:27:49Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-our-props-conf-and-transforms-conf-to-parse-a-CSV/m-p/268694#M80811 <P>[source::/LogCentral/Applications/Shibboleth_PRD/*]<BR /> should be <BR /> [source::/LogCentral/Applications/Shibboleth_PRD/...] </P> Tue, 29 Sep 2020 10:24:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-our-props-conf-and-transforms-conf-to-parse-a-CSV/m-p/268694#M80811 rdagan_splunk 2020-09-29T10:24:55Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-our-props-conf-and-transforms-conf-to-parse-a-CSV/m-p/268695#M80812 <P>Thx for pointing out that error. I fixed that source to /... and then re-ran the query but the fields still aren't being extracted. I opened a case with Splunk as all sources I have (properly set to /...) are also no longer having fields automatically extracted. This issue seemed to have arose when I updated to version 6.4.2.</P> <P>Thx</P> Thu, 28 Jul 2016 12:39:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-our-props-conf-and-transforms-conf-to-parse-a-CSV/m-p/268695#M80812 jwalzerpitt 2016-07-28T12:39:02Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-our-props-conf-and-transforms-conf-to-parse-a-CSV/m-p/268696#M80813 <P>Based on this link:<BR /> <A href="http://docs.splunk.com/Documentation/Hunk/6.4.1/HunkReleaseNotes/Releasenotes">http://docs.splunk.com/Documentation/Hunk/6.4.1/HunkReleaseNotes/Releasenotes</A> -- See ERP-1901 - there was an issue with CSV extraction but it was fixed in 6.4.1.<BR /><BR /> I am checking to see if that same fixed is also in 6.4.2</P> Thu, 28 Jul 2016 15:15:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-our-props-conf-and-transforms-conf-to-parse-a-CSV/m-p/268696#M80813 rdagan_splunk 2016-07-28T15:15:37Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-our-props-conf-and-transforms-conf-to-parse-a-CSV/m-p/268697#M80814 <P>Thx for checking. </P> <P>I have three other sources - Cisco ISE, Cisco ASA, and Windows Event Logs - whose fields were being extracted before I updated to version 6.4.2. For those three sources I was using the relevant add-ons: Splunk_CiscoISE (with Splunk_TA_cisco-ise), Splunk_TA_windows, and Splunk_TA_cisco-asa.</P> <P>Here are the stanzas for those three from my props.conf file:</P> <PRE><CODE>[source::/LogCentral/Applications/ISE_PRD/...] sourcetype = cisco:ise:syslog DATETIME_CONFIG = NO_BINARY_CHECK = true SHOULD_LINEMERGE = false [source::/LogCentral/Applications/Firewall_PRD/...] sourcetype = cisco:asa [source::/LogCentral/WindowsEvent/PRD/...] sourcetype = windows_snare_syslog </CODE></PRE> Tue, 29 Sep 2020 10:25:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-our-props-conf-and-transforms-conf-to-parse-a-CSV/m-p/268697#M80814 jwalzerpitt 2020-09-29T10:25:09Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-our-props-conf-and-transforms-conf-to-parse-a-CSV/m-p/268698#M80815 <P>I tried 6.4.2 with a CSV file, and Hunk did the right thing without any entry in the props.conf. Hunk auto translated the CSV to a JSON visualization automatically </P> Tue, 02 Aug 2016 00:23:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-our-props-conf-and-transforms-conf-to-parse-a-CSV/m-p/268698#M80815 rdagan_splunk 2016-08-02T00:23:31Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-our-props-conf-and-transforms-conf-to-parse-a-CSV/m-p/268699#M80816 <P>Thx for the update.</P> <P>I tried extracting fields and then saved the extracted fields, restarted Splunk, and the fields still didn't extract.</P> <P>Waiting to work with Splunk support...</P> Tue, 02 Aug 2016 12:29:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-our-props-conf-and-transforms-conf-to-parse-a-CSV/m-p/268699#M80816 jwalzerpitt 2016-08-02T12:29:08Z